“Even obscure blogs get picked up,” Gundert says.
For most people, GoSecure’s blog post went unnoticed. With so many competing reports, if a blog post doesn’t get much traction within defender communities, the potential attack vector it discusses is effectively overlooked. On the other side of the divide, however, attackers are discussing the flaw and sharing information and tools for exploiting it.
Waiting for vendors makes you more vulnerable
One reason why attackers get such a big jump on vendors and security pros is the vulnerability announcement process itself.
Vendor announcements are typically tied to when a security flaw gets a Common Vulnerability and Exposures (CVE) identifier. The CVE system is maintained by MITRE Corp., a nonprofit that acts as a central repository for publicly known information security vulnerabilities. When someone finds a security vulnerability -- whether it’s the application owner, a researcher, or a third-party entity acting as a broker -- MITRE receives a request for a new CVE.
Once MITRE assigns an identifier, akin to a Social Security number for vulnerabilities, the security industry, vendors, and enterprises have a way to identify, discuss, and share details of the flaw so that it can be fixed. In cases where the initial disclosure does not come from vendors, such as with the Java object serialization flaw, attackers have a head start over defenders still waiting for the CVE to be assigned.
This time gap is critical. Granted, with so many vulnerabilities to research, assess, and mitigate, but only finite security resources available to combat them, filtering vulnerability reports based on whether the flaw has a CVE assigned is a “reasonable attitude,” and lets organizations err on the side of caution, says Nicko van Someren, CTO of the Linux Foundation. The implication is that once a bug has a CVE, it exists and needs attention.
But lately, the CVE system itself has become a bottleneck. Several security professionals complain they cannot obtain CVEs for vulnerabilities from MITRE in a timely manner. The delay has an impact -- it is difficult to coordinate fixing a bug with software makers, partners, and other researchers if there isn’t a system to make sure everyone is referring to the same issue. Part of the current problem is scale, as the software industry is bigger than it was a decade ago, and vulnerabilities are found in greater quantities. As Recorded Future’s analysis showed, the delay in assigning the CVE gives attackers time to develop and refine their tools and techniques.
“There are lots of people that believe if there isn't a CVE then it isn't a real issue, and that is a huge problem,” says Jake Kouns, CISO of Risk Based Security.